Risk management: Steer a course to safety

What’s the importance of risk management in schools and why should heads and bursars give it attention? Well, schools are charged with fulfilling students’ educational needs and ensuring that they benefit from a safe learning environment. Here we speak to the experts about compliance and how you can ensure you’ve got it all right

Given the high stakes involved in managing large financial budgets and protecting distinctive reputations, bursars are expected to address risk management in a well-planned and modern manner. It’s also worth mentioning that it isn’t always sophisticated fraudulent attacks that result in schools suffering substantial monetary losses or reputational damage; evidence from KPMG suggests that even tried and tested methods present danger, as their Fraud Barometer analysis points out. ‘The motivation to deceive comes in a variety of forms. Many criminals are still prepared to rely on the traditional conman artistry of making financial gain through misplaced trust, attacking people’s vulnerabilities and sensibilities.’

Making finance staff aware of protocol, and the need to protect sensitive and confidential data, is one obvious method to discourage external threats but the emergence of new cyber-threats and tech-orientated deception mean that reacting badly to actions not perceived to be threatening can be catastrophic – in the context of information security this concept is often referred to as ‘social engineering’.

In short, this type of social engineering relies on the good faith or naivety of the subject to be duped and can involve a series of interactions with a criminal before they set up a ‘con’. For example, social engineering strategies are usually used to convince a target to open an email that contains a virus or a software package that will further expose them to fraudulent activity.

Simple steps – huge difference

Reported data breaches are also central to better understanding the frequency of cyber-attacks; bursars can learn much from the past mistakes of their school counterparts. Tilden Watson, head of education at Zurich Municipal, says that breaches of the Data Protection Act in schools have recently ranged from unauthorised disclosures of information by staff to incidents where data was lost or stolen by hackers. “Some simple steps can make a huge difference in preventing these data breaches, including installing firewalls and regularly updating antivirus software, encrypting sensitive data, password-protecting memory sticks and laptops, encouraging users to choose strong passwords and carefully managing user/admin access,” he explains.

Likewise, Rachele Kelsall, head of education practice at Hugh J Boswell, says that cyber risks – included in the overall category of liabilities and assessing financial impacts – is the top emerging risk that the company is currently discussing with schools. “The cost of cyber cover isn’t massive and, if you set that against a typical premium for buildings and contents insurance, the cyber cover would be a minimal percentage of the overall premium or insurance package,” she says. “I think there’s a recognition that pretty much every business will be subjected to attempts at hacking. Some will be more successful than others but schools are particularly vulnerable because of the type of data they hold, including sensitive pupil data.”

Responding to child abuse investigations

Moving beyond cyber risks, Rachel says that historical public liability or protection against non-recent abuse claims is another key emerging risk in the independent sector. It’s fair to concede that any traditional risk management assessment wouldn’t ordinarily include historical child abuse as a defining feature but the establishment of the Independent Inquiry into Child Sexual Abuse (IICSA), now chaired by Professor Alexis Jay, has placed the issue firmly in the spotlight.

Tips on mitigating against supplier fraud from Richard

Research new suppliers

  • Check company details with Companies House
  • Check how old the company is and if it has been dormant
  • Check that the address is legitimate
  • Have there been any recent changes to the company’s address or directors?
  • Is the company on any sanctions lists?
  • Check the company accounts to see if they are too good to be true, or filed early or late
  • Are the accounts credible given the trading period? Have they been prepared by a genuine accountant?

Since it was setup in May 2015 the IICSA has sought to investigate child safeguarding failings and inconsistencies within both the state and private education sectors through a, ‘comprehensive review and analysis of press reports’. While the inquiry extends to England and Wales, the BBC has recently named several schools in Scotland that are under investigation by the Scottish Child Abuse Enquiry whilst, in Northern Ireland, the chair of the Historical Institutional Abuse Inquiry launched its report in January.

Considering public interest and potential reputational damage, schools across the UK would be wise to develop a clear approach to dealing with investigations. In light of the obvious stigma associated with child sexual abuse cases – and the speed with which the mainstream media focus their gaze on them – it almost goes without saying that the merest hint of impropriety will be uncovered sooner rather than later. “We would strongly recommend that all schools consider and discuss the implications of the Inquiry within their governing bodies and senior leadership teams,” Rachel says. “It’s important that you are proactive and take steps to prepare now for a potential request for information, as timescales for responses are likely to be tight.”

Playing it smart

In focusing on these emerging trends, have schools been de-prioritising certain cover and/or have insurers seen a reduction of claims in one area or another? “I haven’t found it to be the case that schools have favoured one item over another and, in terms of adding something like cyber risk cover, it’s not a massive outlay,” Rachel says. She does, however, mention that schools are playing it smart where small claims are concerned and, rather than seeking relief from their insurance provider, they are putting their facilities teams to good use – letting them deal with small property damage and vandalism, for example.

Cyber risks and on-going child abuse investigations are not the sort of issues that bursars can afford to take lightly. Evidence from our experts suggests that both basic and sophisticated fraud threats continue to be of growing concern whilst stories relating to child abuse remain in the public eye and threaten to ruin reputations. Pre-empting these risks form the very basis of a successful risk management strategy and encouraging all staff to play an active part in minimising risk is just as important.

Key questions to ask when appointing a new supplier:

  • Obtain the full name, address, telephone, and email address of the company
  • Identify the ownership of the company
  • Request references, ideally from other schools or colleges.

Don’t forget to follow us on Twitter and keep up-to-date with the latest news and features